SQL Server security encryption and SQL injection attacks

Source: Internet
Author: User
Tags: how to prevent sql injection, how to prevent sql injection attacks, least privilege

Comments: SQL Server has built-in encryption to protect several kinds of sensitive data. In many cases this encryption is completely transparent to you: the data is encrypted when it is stored and decrypted automatically when it is used. In other cases you choose whether the data is encrypted. SQL Server can encrypt the following components:

· Passwords
· Stored procedures, views, triggers, user-defined functions, default values, and rules
· Data transmitted between the server and the client

SQL Server automatically encrypts the passwords you assign to logins and application roles. Although you can query the system tables in the master database directly, you cannot read the passwords from them. You cannot change this behaviour, and you cannot turn it off.

In some cases, object encryption is used to keep information from being shared with others. For example, a stored procedure may contain the owner's business logic, which should not be visible to others, even to users who can query the system tables and see the definitions of objects. This is why SQL Server lets you encrypt an object when you create it. To encrypt a stored procedure, use the following CREATE PROCEDURE syntax:

CREATE PROCEDURE procedurename [; number]
[@parameter datatype
[VARYING] [= defaultvalue] [OUTPUT]
[,…]
[WITH RECOMPILE | ENCRYPTION | RECOMPILE, ENCRYPTION]

Here we only care about the optional WITH clause. You can specify RECOMPILE or ENCRYPTION, or both at the same time. The ENCRYPTION keyword prevents SQL Server from exposing the text of the procedure: if ENCRYPTION is specified, the system stored procedure sp_helptext ignores the procedure, and the procedure text written by the user is stored in encrypted form. If you no longer want ENCRYPTION, recreate the procedure with ALTER PROCEDURE, leaving out the WITH ENCRYPTION clause.

To use encryption on the connection, both the client and the server must connect through the TCP/IP network library. Run the appropriate Network Utility and check Force protocol encryption. As shown in the following table, without this setting the connection between the client and the server is not encrypted. Encryption is not free: after the connection is established, both the client and the server must run code to encrypt and decrypt every packet, which adds overhead and slows processing. If the network packets travel outside your control, this is still a good practice.

What is missing from the list? You may notice one thing that does not appear in the list of what gets encrypted: the data in your tables. SQL Server provides no built-in tool to encrypt your data before you store it. If you need to protect data stored in SQL Server, we offer two suggestions. First, use the GRANT and DENY keywords to control which data each user can read in SQL Server. Second, if you really need to encrypt data, do not try to invent your own scheme; use the tested algorithms of a commercial product.

SQL injection attacks are a common attack that allows unscrupulous users to retrieve your data, change server settings, or, when you are not careful, take over your server.
SQL injection attacks are not a problem with SQL Server itself but with poorly written programs. If you run such programs, you must understand that you are at risk.

Locating the weakness

The SQL injection weakness occurs when the program's developer constructs a WHERE clause by concatenating user input. For example, a simple ASP program lets users enter a customer ID and then retrieves the contact names for that company. If the customer ID is passed as part of the request string of the ASP page, the developer might write the following code to obtain the data:

strConn = "Provider=SQLOLEDB;Data Source=(local);" & _
          "Database=Northwind;Integrated Security=SSPI"
Set cnn = Server.CreateObject("ADODB.Connection")
cnn.Open strConn
strQuery = "SELECT ContactName FROM Customers " & _
           "WHERE CustomerID = '" & Request.Form("CustID") & "'"
Set rstResults = cnn.Execute(strQuery)
Response.Write(rstResults.Fields("ContactName").Value)

Do you know where the problem is? If you know a customer's ID, you can retrieve the corresponding contact name. Do you see it now?

Obtaining additional data

An attacker, however, does not need to know the ID of any customer, or even guess one, to obtain data. To do so, the attacker enters the following text into the customer ID textbox that the application reads:

Customer ID:
' UNION ALL SELECT ContactName FROM Customers WHERE CustomerID <> '

If you enter this text, the query statement becomes:

SELECT ContactName FROM Customers
WHERE CustomerID = ''
UNION ALL SELECT ContactName FROM Customers
WHERE CustomerID <> ''

This is the union of the empty customer ID and all non-empty customer IDs, so the query returns every contact name in the database. In fact, this UNION technique can be used to obtain most of the information in your database. Consider this value for CustomerID:

' UNION ALL SELECT FirstName + ' ' + LastName FROM Employees WHERE LastName <> '

It turns the SQL statement into:

SELECT ContactName FROM Customers
WHERE CustomerID = ''
UNION ALL SELECT FirstName + ' ' + LastName FROM Employees
WHERE LastName <> ''

Now the attacker obtains the names of all the employees in your database.

More attacks

If SQL injection only exposed data, that would already be bad enough. In fact, a skilled attacker can use this weakness to do far more than read your database. Look at the following example:

'; DROP TABLE Customers; --

The SQL statement becomes:

SELECT ContactName FROM Customers
WHERE CustomerID = ''; DROP TABLE Customers; --'

The semicolon is a statement separator in SQL Server, so there are now two statements. The first matches no customer, and the second drops the entire Customers table. The two hyphens are the SQL Server comment marker; they make the server ignore the trailing quote so the statement has no syntax error. With variations of this technique, an attacker can run any SQL statement or stored procedure. Using the xp_cmdshell extended stored procedure, an attacker can even run operating system commands. Obviously, this is a serious vulnerability.

Protecting your own database

Do you know how to prevent SQL injection attacks? First, never construct a WHERE clause from user input; use stored procedures with parameters instead. The rewritten part of the original ASP page is similar to what we saw in the table. Even if you believe your application has no vulnerabilities, follow the principle of least privilege: use the other security techniques we recommend so that your users can access only what they need. Then, if a vulnerability you have not found is exploited, it cannot destroy your whole database.

Final suggestions

This concludes the SQL Server Security Series. You may not be a complete expert yet, but you have learned a lot about what you are up against. The next step is to protect your own SQL Server data: remember what you learned here, and apply it to your database so that your data is not taken by those hackers.
